Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-08
CVE-2021-4392 - Ecommerce Product Catalog Plugin
The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.43. This is due to missing or incorrect nonce validation on the implecode_save_products_meta() function. This makes it possible for unauthenticated attackers to save product meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Ecommerce Product Catalog
CVE-2021-4392
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4391 - Woo Gift Cards Lite Plugin
The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the mwb_wgm_save_post() function. This makes it possible for unauthenticated attackers to modify product gift card details via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Woo Gift Cards Lite
CVE-2021-4391
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4390 - Contact Form 7 Style Plugin
The Contact Form 7 Style plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on the manage_wp_posts_be_qe_save_post() function. This makes it possible for unauthenticated attackers to quick edit templates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Contact Form 7 Style
CVE-2021-4390
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4389 - Wp Travel Plugin
The WP Travel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.6. This is due to missing or incorrect nonce validation on the save_meta_data() function. This makes it possible for unauthenticated attackers to save metadata for travel posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Travel
CVE-2021-4389
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4388 - Opal Estate Plugin
The Opal Estate plugin for WordPress is vulnerable to featured property modifications in versions up to, and including, 1.6.11. This is due to missing capability checks on the opalestate_set_feature_property() and opalestate_remove_feature_property() functions. This makes it possible for unauthenticated attackers to set and remove featured properties.
PLUGIN
Opal Estate
CVE-2021-4388
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4387 - Opal Estate Plugin
The Opal Estate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.11. This is due to missing or incorrect nonce validation on the opalestate_set_feature_property() and opalestate_remove_feature_property() functions. This makes it possible for unauthenticated attackers to set and remove featured properties via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Opal Estate
CVE-2021-4387
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4386 - Wp Security Questions Plugin
The WP Security Question plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Security Questions
CVE-2021-4386
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4385 - Wp Private Content Plus Plugin
The WP Private Content Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1. This is due to missing or incorrect nonce validation on the save_groups() function. This makes it possible for unauthenticated attackers to add new group members via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Private Content Plus
CVE-2021-4385
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4384 - Photo Contest Plugin
The WordPress Photo Gallery – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the load_images_thumbnail() and edit_gallery() functions. This makes it possible for unauthenticated attackers to edit galleries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Photo Contest
CVE-2021-4384
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-1602 - Short Url Plugin
The Short URL plugin for WordPress is vulnerable to stored Cross-Site Scripting via the 'comment' parameter due to insufficient input sanitization and output escaping in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Short Url
CVE-2023-1602
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3407 - Subscribe2 Plugin
The Subscribe2 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 10.40. This is due to missing or incorrect nonce validation when sending test emails. This makes it possible for unauthenticated attackers to send test emails with custom content to users on sites running a vulnerable version of this plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Subscribe2
CVE-2023-3407
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-1844 - Subscribe2 Plugin
The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to, and including, 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and attachments to site users.
PLUGIN
Subscribe2
CVE-2023-1844
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3427 - Salon Booking System Plugin
The Salon Booking System plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.6. This is due to missing or incorrect nonce validation on the 'save_customer' function. This makes it possible for unauthenticated attackers to change the admin role to customer or change the user meta to arbitrary values via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Salon Booking System
CVE-2023-3427
Risk Score
Threat Entry
Updated 2025-05-05
CVE-2023-2743 - Before 1 Plugin
The ERP WordPress plugin before 1.12.4 does not sanitise and escape the employee_name parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Before 1
CVE-2023-2743
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2624 - Before 3 Plugin
The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrator
PLUGIN
Before 3
CVE-2023-2624
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2795 - Before 0 Plugin
The CodeColorer WordPress plugin before 0.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 0
CVE-2023-2795
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2711 - Ultimate Product Catalog Plugin
The Ultimate Product Catalog WordPress plugin before 5.2.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Ultimate Product Catalog
CVE-2023-2711
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2627 - Before 3 Plugin
The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings
PLUGIN
Before 3
CVE-2023-2627
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2623 - Before 3 Plugin
The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users
PLUGIN
Before 3
CVE-2023-2623
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2326 - Gravity Forms Google Sheet Connector Plugin
The Gravity Forms Google Sheet Connector WordPress plugin before 1.3.5, gsheetconnector-gravityforms-pro WordPress plugin through 1.3.5 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack
PLUGIN
Gravity Forms Google Sheet Connector
CVE-2023-2326
Risk Score